package com.stx.test.serialize.deletFile;

import java.io.*;
import java.nio.file.*;

public class MaliciousDelete implements Serializable {
    private static final long serialVersionUID = 1L;
    
    private String fileToDelete;
    
    public MaliciousDelete(String fileToDelete) {
        this.fileToDelete = fileToDelete;
    }
    
    // 反序列化时自动调用 - 这是漏洞利用的关键
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject(); // 正常反序列化
        deleteFile();           // 恶意代码在这里执行！
    }
    
    private void deleteFile() {
        try {
            Path path = Paths.get(fileToDelete);
            if (Files.exists(path)) {
                Files.delete(path);
                System.out.println("文件已被删除: " + fileToDelete);
            } else {
                System.out.println("文件不存在: " + fileToDelete);
            }
        } catch (Exception e) {
            System.out.println("删除失败: " + e.getMessage());
        }
    }
}